EU U-turn means business as usual for dealers use of customer data

An about face by European authorities means dealer marketers and service centres fearing the worst from the forthcoming data law now have reason to be far more optimistic.

The last official statement indicated the likelihood of a law in which opt in permission would need to be based on consumers electing to receive messages based on narrowly defined subject matter and communications channel (the General Data Protection Regulation was due to come into effect before the end of 2017).

According to the latest report this is now not the case more, and regulation will be more or less what is currently in place.

In addition, the probable threat to digital advertising and profiling has been lifted after it was decided any marketing data that cannot directly identify an individual can be used freely.

The three authorities responsible for deciding the new regulations – the EU Parliament, Commission and Council – have for the time being relented from their previous stance and put the interests of business, and in particular SMEs, first.

For automotive marketers the previous stance of requiring consumers to agree to opt in to specific subjects and forms of communication before any messaging could take place has been replaced with consent needing to be ‘unambiguous’ as the key qualification.

Without the change in policy it would have ruled out any leeway to send generic sales messages.

Specific subject matter would have had to have been agreed with consumers in advance, and sent by a method also agreed.

The key criteria for opt in consent now is being clear in proposing that communication will take place with an emphasis on transparency and plain language.

The policy change is based on the technicality of legitimate interest now being considered reason for companies to use personal data for marketing purposes.

The revised draft of the law more or less mirrors existing UK rules regarding consent, though all opt in terms and conditions will need to be re-written.

Plus there are non-specific warnings that data users will have to more rigidly abide by the law, and make careful assessments of relationships with individuals.

Quite what this means and how it will manifest itself is unclear.

“The latest news on the negotiations paints a much more positive picture than the previous update.

“As it currently stands the EU data law looks similar to the rules we operate under now, although there will be a need to make adapt to the new regulations with changes such as such as altering consent opt in terms,” said Dene Walsh, operations and compliance director of Verso Group and chair of enforcement and regulation hub, Direct Marketing Association Contact Centre and Telemarketing Council.

'Perhaps more significantly, the Information Commissioners Office will become bigger and much more proactive in the lead up to the change in legislation.

“Rather than reacting to complaints, it is now going out and seeking offenders on a large scale.

“The new EU regulations are a useful reminder to companies to tighten up their data protocol because most have let data compliance slip, and law from Brussels should be used as a call to action that will save many companies from the increasingly large fines given out.’

Punishment for breaches of the new law are proposed as being as high as 4 per cent of turnover, which for major corporations applies to global income.

The previous statement from the European bodies in October declared there would be no use of tracking data, and no profiling or segmentation without explicit consent.

It was said to threaten the future of digital advertising.

But now any data that cannot directly identify an individual is considered to be within the boundaries of use.

However, in terms of profiling there will be the right of consumers to opt out.

Whether or not online identifiers such as cookies fall into the definition of personal data will under the new regulations, depend on where they are placed in the online inventory.

A cookie placed by an internet service provider will be classified as personal data as it could identify the individual, but a cookie placed by an advertiser that cannot be linked to an email address or any other personal information is not likely to be presumed personal data.

The is a massive about face by the European authorities.

There was also concern that companies would be forced to appoint internal data protection officers, but any thoughts of mandatory appointments for SMEs has gone.

For larger companies, and those that specialise in processing data, such a position will be compulsory, though most within these two categories will already have a data protection officer.

There will be a right to be forgotten, and free access data provision, but the latter only applies in reasonable circumstances yet to be defined.

These two changes to the law may have the biggest impact for some companies.

The right to be forgotten involves creating an easily recognisable way of requesting personal information is erased, and the request will have to be acted upon promptly.

For most companies this will involve creating a new data protocol, plus many CRM systems do not have an erase facility.

Software changes may have to made.

Access data will be free rather than the £10 than can currently be charged.

For major users of consumer data, such as financial companies, providing members of the public with details of their data files could add up to be an expensive procedure.

Overall the new data law currently looks to be a great deal more commercially friendly than it did in the last announcement, Walsh said, but it would be wrong to assume the latest in the discussions will automatically be the basis of the full and final publication of the law due to be made public at the end of March.

It could be changed back again, and the European Parliament, which was involved in the debate and put forward the most rigid terms, has yet to vote.